secure logistic regression inference based on HE and SGX (#151)

* inital commit

Signed-off-by: Xiaojun Huang <xiaojun.huang@intel.com>

* first commit of lr_sgx_he solution

Signed-off-by: Huang, Xiaojun <xiaojun.huang@intel.com>

* infer client and infer server communicate via grpc

Signed-off-by: Huang, Xiaojun <xiaojun.huang@intel.com>

* add dockerfile and build scripts

Signed-off-by: Huang, Xiaojun <xiaojun.huang@intel.com>

* update dockerfile and build scripts

Signed-off-by: Huang, Xiaojun <xiaojun.huang@intel.com>

* Create README.md

* Update README.md

* update license wording in each file

Signed-off-by: Huang, Xiaojun <xiaojun.huang@intel.com>

* update the license date of gflags.cmake

Signed-off-by: Huang, Xiaojun <xiaojun.huang@intel.com>

* add the doc of lr_infer_he_sgx

Signed-off-by: Huang, Xiaojun <xiaojun.huang@intel.com>

Signed-off-by: Xiaojun Huang <xiaojun.huang@intel.com>
Signed-off-by: Huang, Xiaojun <xiaojun.huang@intel.com>
Co-authored-by: Zhu Yunge <yunge.zhu@intel.com>

Author: xhuan28

cczoo/lr_infer_he_sgx/CMakeLists.txt

@@ -0,0 +1,32 @@
+# Copyright (c) 2022 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cmake_minimum_required(VERSION 3.15)
+
+project(lr_infer_he_sgx)
+
+option(ENABLE_INTEL_HEXL ON)
+
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_EXTENSIONS OFF)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
+include(cmake/seal.cmake)
+include(cmake/grpc.cmake)
+include(cmake/gflags.cmake)
+
+include_directories("${CMAKE_CURRENT_BINARY_DIR}")
+include_directories("${SEAL_INC_DIR}")
+
+add_subdirectory(src)

cczoo/lr_infer_he_sgx/Dockerfile

@@ -0,0 +1,117 @@
+#
+# Copyright (c) 2022 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# https://github.com/oscarlab/graphene/blob/master/Tools/gsc/images/graphene_aks.latest.dockerfile
+
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV INSTALL_PREFIX=/usr/local
+ENV LD_LIBRARY_PATH=${INSTALL_PREFIX}/lib:${INSTALL_PREFIX}/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH}
+ENV PATH=${INSTALL_PREFIX}/bin:${LD_LIBRARY_PATH}:${PATH}
+ENV LC_ALL=C.UTF-8 LANG=C.UTF-8
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends apt-utils \
+    && apt-get install -y \
+        ca-certificates \
+        build-essential \
+        autoconf \
+        libtool \
+        python3-pip \
+        python3-dev \
+        git \
+        zlib1g-dev \
+        wget \
+        unzip \
+        vim \
+        jq
+
+RUN echo "deb [trusted=yes arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" | tee /etc/apt/sources.list.d/intel-sgx.list ;
+RUN wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - \
+    && apt-get update
+
+# Install SGX-PSW
+RUN apt-get install -y libsgx-pce-logic libsgx-ae-qve libsgx-quote-ex libsgx-quote-ex-dev libsgx-qe3-logic sgx-aesm-service
+
+# Install SGX-DCAP
+RUN apt-get install -y libsgx-dcap-ql-dev libsgx-dcap-default-qpl libsgx-dcap-quote-verify-dev libsgx-dcap-default-qpl-dev
+
+# Gramine
+ENV GRAMINEDIR=/gramine
+ENV SGX_DCAP_VERSION=DCAP_1.11
+ENV GRAMINE_VERSION=v1.2
+ENV ISGX_DRIVER_PATH=${GRAMINEDIR}/driver
+ENV WERROR=1
+ENV SGX=1
+
+RUN apt-get install -y bison gawk nasm python3-click python3-jinja2 ninja-build pkg-config \
+    libcurl4-openssl-dev libprotobuf-c-dev python3-protobuf protobuf-c-compiler \
+    libgmp-dev libmpfr-dev libmpc-dev libisl-dev
+
+RUN pip3 install --upgrade pip \
+    && pip3 install toml meson cryptography
+
+RUN git clone https://github.com/gramineproject/gramine.git ${GRAMINEDIR} \
+    && cd ${GRAMINEDIR} \
+    && git checkout ${GRAMINE_VERSION}
+
+RUN git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git ${ISGX_DRIVER_PATH} \
+    && cd ${ISGX_DRIVER_PATH} \
+    && git checkout ${SGX_DCAP_VERSION}
+
+RUN cd ${GRAMINEDIR} \
+    && LD_LIBRARY_PATH="" meson setup build/ --buildtype=debug -Dprefix=${INSTALL_PREFIX} -Ddirect=enabled -Dsgx=enabled -Ddcap=enabled -Dsgx_driver=dcap1.10 -Dsgx_driver_include_path=${ISGX_DRIVER_PATH}/driver/linux/include \
+    && LD_LIBRARY_PATH="" ninja -C build/ \
+    && LD_LIBRARY_PATH="" ninja -C build/ install
+
+RUN echo "enabled=0" > /etc/default/apport
+RUN echo "exit 0" > /usr/sbin/policy-rc.d
+
+# Clean tmp files
+RUN apt-get clean all \
+    && rm -rf /var/lib/apt/lists/* \
+    && rm -rf ~/.cache/* \
+    && rm -rf /tmp/*
+
+RUN gramine-sgx-gen-private-key
+
+RUN mkdir -p ${INSTALL_PREFIX} \
+    && wget -q -O cmake-linux.sh https://github.com/Kitware/CMake/releases/download/v3.19.6/cmake-3.19.6-Linux-x86_64.sh \
+    && sh cmake-linux.sh -- --skip-license --prefix=${INSTALL_PREFIX} \
+    && rm cmake-linux.sh
+
+ENV WORKSPACE=/lr_infer_he_sgx
+WORKDIR ${WORKSPACE}
+
+COPY src ./src
+COPY datasets ./datasets
+COPY cmake ./cmake
+COPY CMakeLists.txt \
+     start_service.sh \
+     infer_server.manifest.template \
+     Makefile ./
+
+RUN cmake -S. -Bbuild \
+    && cmake --build build \
+    && cp build/src/infer_server . \
+    && cp datasets/lrtest_mid_lrmodel.csv . \
+    && make clean \
+    && ENTRYPOINT=infer_server make
+
+RUN echo "/lr_infer_he_sgx/start_service.sh" >> ~/.bashrc
+
+ENV http_proxy=
+ENV https_proxy=

cczoo/lr_infer_he_sgx/Makefile

@@ -0,0 +1,61 @@
+#
+# Copyright (c) 2022 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+################################# CONSTANTS ###################################
+
+THIS_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
+ARCH_LIBDIR ?= /lib/$(shell $(CC) -dumpmachine)
+ENTRYPOINT ?= ""
+
+ifeq ($(DEBUG),1)
+GRAMINE_LOG_LEVEL = debug
+else
+GRAMINE_LOG_LEVEL = error
+endif
+
+.PHONY: all
+all: infer_server.manifest
+ifeq ($(SGX),1)
+all: infer_server.manifest.sgx infer_server.sig infer_server.token
+endif
+
+################################ MANIFEST ###############################
+
+infer_server.manifest: infer_server.manifest.template
+	gramine-manifest \
+		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
+		-Dentrypoint=$(ENTRYPOINT) \
+		-Darch_libdir=$(ARCH_LIBDIR) \
+		$< >$@
+
+infer_server.manifest.sgx: infer_server.manifest
+	gramine-sgx-sign \
+		--manifest $< \
+		--output $@
+
+infer_server.sig: infer_server.manifest.sgx
+
+infer_server.token: infer_server.sig
+	gramine-sgx-get-token --output $@ --sig $<
+
+################################## CLEANUP ####################################
+
+.PHONY: clean
+clean:
+	$(RM) *.token *.sig *.manifest.sgx *.manifest
+	$(RM) -r scripts/__pycache__
+
+.PHONY: distclean
+distclean: clean

cczoo/lr_infer_he_sgx/README.md

@@ -0,0 +1,49 @@
+# Secure Logistic Regression Inference with HE and Intel SGX
+## Introduction
+Nowadays, a wide variety of applications are available as SaaS applications. More and more AI workloads are deployed to the cloud. 
+AI model providers benefit from the powerful data computing capability of the cloud and reduce the difficulty of maintaining a complex AI inference service. 
+However, most of AI models are treated as the intellectual properties of AI model provider. 
+How to protect AI models from disclosing to other parties including CSP is a problem that we need to address.  
+On the other hand, users want to obtain precise inference result by utilizing the AI model which is trained from massive data. 
+However, they don’t want to reveal their privacy data for the inference. Although, they can do AI inference locally by downloading the AI model to their end devices. 
+But it is not feasible when the AI workload is very heavy, because the computing capability of most end devices, such as smart phones, are limited. 
+Moreover, model providers don’t intend to share their AI models to end users directly either.
+
+## Solution Description
+To address the above two problems, we developed a solution of secure AI inference based on SGX and HE. In this solution, we assume the AI workload executes on an enclave of cloud server with SGX enabled. 
+To convince the model provider to believe their AI workloads are not tampered and run in an enclave, the cloud server generates quote and sends to model provider for remote attestation. 
+After passing the quote verification, the model provider deploys the AI workload to the cloud and launch the AI inference service.  
+The user generates a HE key pair locally and encrypts privacy data for inference with the public key. The encrypted data is transferred to the cloud server and do inference there. 
+After the inference is completed, the encrypted result is sent back to the user through gRPC. User decrypts it with the private key and obtains the plaintext of finial result.
+
+![image](https://user-images.githubusercontent.com/27326867/197438740-9923ca2e-0911-40a0-bf5e-d0bcebc78609.png)
+
+## Build and Run
+### Prerequisite
+- A server with Intel SGX enabled
+- Docker
+### Build Docker Image
+```
+git clone https://github.com/intel/confidential-computing-zoo
+cd confidential-computing-zoo/cczoo/lr_infer_he_sgx
+./build_docker_image.sh
+```
+### Execution
+Open 2 terminals, one for the inference client that has data to be inferred and the other for the inference server that has a AI model.
+- Inference server
+```
+./start_container.sh server
+```
+- Inference client
+```
+./start_container.sh client
+```
+### Result
+>EncryptionParameters: wrote 91 bytes  
+PublicKey: wrote 709085 bytes  
+RelinKeys: wrote 3545129 bytes  
+HE inference result - accuracy: 0.944  
+
+## Reference
+Intel HE Toolkit: https://github.com/intel/he-toolkit  
+Intel SGX: https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/overview.html

cczoo/lr_infer_he_sgx/build_docker_image.sh

@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2022 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+set -e
+
+# You can remove no_proxy and proxy_server if your network doesn't need it
+no_proxy="localhost,127.0.0.1"
+proxy_server="" # your http proxy server
+
+cd `dirname $0`
+
+DOCKER_BUILDKIT=0 docker build \
+    --build-arg no_proxy=${no_proxy} \
+    --build-arg http_proxy=${proxy_server} \
+    --build-arg https_proxy=${proxy_server} \
+    -f Dockerfile \
+    -t lr_infer_he_sgx:latest \
+    .

cczoo/lr_infer_he_sgx/cmake/gflags.cmake

@@ -0,0 +1,36 @@
+# Copyright (C) 2022 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+include(ExternalProject)
+
+# If user has not specified an install path, override the default usr/local to
+# be the build directory of the original target.
+if (NOT ${CMAKE_INSTALL_PREFIX})
+  set (CMAKE_INSTALL_PREFIX ${CMAKE_CURRENT_BINARY_DIR})
+endif()
+
+set(GFLAGS_GIT_REPO_URL https://github.com/gflags/gflags.git)
+set(GFLAGS_GIT_LABEL v2.2.2)
+
+ExternalProject_Add(
+  ext_gflags
+  PREFIX ext_gflags
+  GIT_REPOSITORY ${GFLAGS_GIT_REPO_URL}
+  GIT_TAG ${GFLAGS_GIT_LABEL}
+  INSTALL_COMMAND ""
+  UPDATE_COMMAND ""
+  EXCLUDE_FROM_ALL TRUE)
+
+# ------------------------------------------------------------------------------
+
+ExternalProject_Get_Property(ext_gflags SOURCE_DIR BINARY_DIR)
+
+add_library(libgflags INTERFACE)
+add_dependencies(libgflags ext_gflags)
+message(STATUS "libgflags include: ${BINARY_DIR}/include/")
+message(STATUS "libgflags library: ${BINARY_DIR}/lib/")
+
+target_include_directories(libgflags SYSTEM
+                           INTERFACE ${BINARY_DIR}/include)
+target_link_libraries(libgflags
+                      INTERFACE ${BINARY_DIR}/lib/libgflags.a)

cczoo/lr_infer_he_sgx/cmake/grpc.cmake

@@ -0,0 +1,29 @@
+# Copyright (c) 2022 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+message(STATUS "Using gRPC via add_subdirectory (FetchContent).")
+include(FetchContent)
+FetchContent_Declare(
+  grpc
+  GIT_REPOSITORY https://github.com/grpc/grpc.git
+  GIT_TAG        v1.38.1)
+FetchContent_MakeAvailable(grpc)
+
+# Since FetchContent uses add_subdirectory under the hood, we can use
+# the grpc targets directly from this build.
+set(PROTOBUF_LIBPROTOBUF libprotobuf)
+set(REFLECTION grpc++_reflection)
+set(PROTOBUF_PROTOC $<TARGET_FILE:protoc>)
+set(GRPC_GRPCPP grpc++)
+set(GRPC_CPP_PLUGIN_EXECUTABLE $<TARGET_FILE:grpc_cpp_plugin>)